Score:-2

Problem understanding the difference between passphrase and keyfiles

ca flag

OK, so I have read a few different articles on the subject and am maybe just having problems understanding the point of view of the program I am using, or maybe not, I don't know. Anyhow, I'll get into it.

The difference between a passphrase and a keyfile, from my example: in EncryptPad there are a couple of icons at the top of the program. One is a lock, or if you just click save on the document it will ask you to set a passphrase. But if I click on the key icon it will ask me whether I want to generate a keyfile, then where I want to save it, and then to set a passphrase to generate the keyfile from. I understand that the keyfile is generated from the passphrase. However, if I just click save on the document it will only ask me to set a passphrase. So what is the difference between just setting a passphrase when saving the file and manually generating a keyfile first?

Next, if I generate a keyfile, do I need to keep that file safe as well from, let's say, someone getting it?

My last question has to do with ZIP or RAR files. When someone attempts to crack a password they use a program and a wordlist. So how/why would something like a zip/rar file be faster to crack as opposed to something like a VeraCrypt container?

If anyone can attempt to explain this in idiot terms I would appreciate it. Thank ya :)

DannyNiu avatar
vu flag
This is not Twitter, you can (and ought to) separate key points into paragraphs.
Score:2
si flag

A passphrase is a secret phrase, ideally randomly generated from a large word list. E.g. "SportyBoroughSubtitleHandclapMundanePostnasalCladPassableDuvetFootwear" is a passphrase. I generated that from a list of 7776 words, and it has 10 words in it, so it has about 128 bits of entropy.

A keyfile is a file containing a cryptographic key. A cryptographic key (for symmetric encryption, which is the type usually used when dealing with keyfiles) is at least 112 bits of random binary data (usually 128 or 256 bits). It's not text.

Encryption algorithms use keys, not passphrases (or passwords). Some programs will use a "Password Hashing Function" to derive a key from a password, and then use that key to perform encryption or decryption. Programs like Veracrypt actually generate one key randomly, use that key to encrypt the data of interest, and then encrypt the first key with a key derived from the user's passphrase. That lets the user change their passphrase without having to re-encrypt large amounts of data, instead they only have to re-encrypt the first key.

Encryption is at most as strong as the key, or the passphrase used to derive the key. This strength is measured in "bits of entropy" and depends on the length of the key (or passphrase) and the process used to create that key (anything other than uniform random choice lowers the entropy). Zip and Rar can be just as slow to crack as Veracrypt if appropriate versions of the software are used (some old versions didn't use strong encryption methods) and the passphrase is long enough.

Keyfiles containing secret or private keys should always be kept secret.

One common use of keyfiles is for password managers like KeePassXC and Bitwarden. When they use keyfiles the keyfile is used in addition to the user's passphrase, both are needed to decrypt the password database. The keyfile thus serves as a second factor needed to decrypt the database. The database can be safely synchronized via cloud storage like Dropbox or iCloud, while the keyfile should be transferred between devices only via local means like a USB cable. Without both the keyfile and the passphrase, the database can't be decrypted.

I'm not familiar with EncryptPad, so I can't answer specific questions about it, and questions about particular software are off-topic on this site anyway.
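The scheme the answer above describes (a passphrase run through a password hashing function, a randomly generated data key wrapped under the result, and a passphrase change that only re-wraps that data key), plus the KeePass-style use of a keyfile as a second factor, worked through in Python. This is an added example, not code from the original post and not EncryptPad's, VeraCrypt's or KeePassXC's actual file format. It assumes: PBKDF2-HMAC-SHA256 standing in for the password hashing function (a memory-hard function such as Argon2id or scrypt is the better choice in practice), an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for a real cipher so that it runs on the standard library alone, a constructed 16-word list standing in for a 7776-word Diceware list, and mixing the keyfile's hash into the secret input of the KDF (one way to make both factors necessary; the real tools do it their own way).

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed stand-in for a Diceware-style word list (a real list has 7776 words).
WORDS = ["sporty", "borough", "subtitle", "handclap", "mundane", "postnasal",
         "clad", "passable", "duvet", "footwear", "harbor", "velvet",
         "quartz", "lantern", "pebble", "tundra"]


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase built by uniform random choice from a word list."""
    return num_words * math.log2(list_size)


def generate_passphrase(word_list, num_words: int) -> str:
    """Uniform random choice; anything less than uniform lowers the entropy."""
    return "".join(secrets.choice(word_list).capitalize() for _ in range(num_words))


def derive_kek(passphrase: str, salt: bytes, keyfile: bytes = b"",
               iterations: int = 200_000) -> bytes:
    """Password hashing function (PBKDF2-HMAC-SHA256 here, an assumption) turning the
    passphrase and optional keyfile into 64 bytes: 32 for encryption, 32 for the MAC."""
    secret = passphrase.encode("utf-8")
    if keyfile:
        # Second factor: the keyfile's hash is mixed into the secret input, so both
        # the passphrase and the file are needed to reproduce the key.
        secret += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a demonstration stand-in for AES-XTS/GCM or ChaCha20."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _seal(key64: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def _open(key64: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key shows up as a tag mismatch."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or keyfile, or corrupted container")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def create_container(data: bytes, passphrase: str, keyfile: bytes = b"") -> dict:
    """A random data key (DEK) encrypts the body; the DEK is wrapped under the
    passphrase-derived key (KEK). Only the wrapped DEK depends on the passphrase."""
    dek = os.urandom(64)
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt, keyfile)
    return {"salt": salt, "wrapped_dek": _seal(kek, dek), "body": _seal(dek, data)}


def open_container(container: dict, passphrase: str, keyfile: bytes = b"") -> bytes:
    kek = derive_kek(passphrase, container["salt"], keyfile)
    dek = _open(kek, container["wrapped_dek"])
    return _open(dek, container["body"])


def unlock_fails(container: dict, passphrase: str, keyfile: bytes = b"") -> bool:
    """True when this passphrase/keyfile combination does not open the container."""
    try:
        open_container(container, passphrase, keyfile)
        return False
    except ValueError:
        return True


def change_passphrase(container: dict, old: str, new: str, keyfile: bytes = b"") -> dict:
    """Re-wraps only the DEK; the (possibly huge) encrypted body is reused as-is."""
    old_kek = derive_kek(old, container["salt"], keyfile)
    dek = _open(old_kek, container["wrapped_dek"])
    new_salt = os.urandom(16)
    new_kek = derive_kek(new, new_salt, keyfile)
    return {"salt": new_salt, "wrapped_dek": _seal(new_kek, dek), "body": container["body"]}
```

Two things to notice when running it: `passphrase_entropy_bits(10, 7776)` comes out at roughly 129 bits, matching the "about 128 bits" above, and after `change_passphrase` the `body` bytes are identical to the original container's while the old passphrase no longer opens it. Omitting the keyfile, or supplying a different one, fails in exactly the same way as a wrong passphrase, which is the second-factor property the answer describes.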

fgrieu avatar
ng flag
Summary: when there are related passphrase and keyfile, the passphrase is the (symmetric) key to the keyfile. The keyfile acts as a vault containing another (usually asymmetric / private) key.
Rideboards avatar
ca flag
Thank you for your response. So would I be correct to assume that when saving a document, if it only asks me to set a passphrase, it is most likely not encrypted if it does not mention anywhere about creating a key from it?
SAI Peregrinus avatar
si flag
No, that's a poor assumption, because it doesn't have to mention its internal workings.